
Security

Cybersecurity and CISPA

By Jake Edge
May 2, 2012

Depending on whom you listen to, "cybersecurity" is either an enormous national security concern or a largely overblown issue promulgated by those with something to gain. There is little question that there are security threats to computers that emanate from "cyberspace"—though that term might best be relegated to the science fiction where it originated—and that some of those threats could cause serious harm to the infrastructure of the internet and to systems connected to it. But, like most internet "protection" laws, the proposed US "Cyber Intelligence Sharing and Protection Act" (CISPA) does little to actually improve the problem it is slated to solve and is, instead, an enormous overreach into the private communications of internet users.

The ostensible purpose of CISPA is to facilitate the sharing of network traffic information between US government agencies and various US companies to assist in investigating and thwarting internet attacks. While that may sound relatively harmless—possibly even beneficial—the devil, as always, is in the details. In this case, the details aren't very clear; as the bill is written it could allow for nearly limitless internet data collection, with provisions to share that information with the US government, all with little or no oversight. It is, in short, an enormous circumvention of the usual protections against warrantless wiretapping (not that we haven't seen those protections ignored before, of course).

Part of the problem stems from overly vague language in CISPA. The bill only requires that cybersecurity or national security be "one significant purpose" of the government's use of the data being shared. That leaves a lot of wiggle room, not only because the two terms are not well-defined, but also because it allows the use of the data for non-security purposes if some kind of security tie can be made. Earlier versions of the bill specifically mentioned things like copyright enforcement as one of the things that the data could be used for.

CISPA would also shield companies (like ISPs or web sites) from civil and criminal liability for any "good faith" sharing of data. That would severely limit the legal recourse for users harmed by inappropriate data collection or sharing. The government is also shielded from legal recourse unless there is intentional or willful mishandling of the data—notably, negligent handling of the data is protected.

As we have seen time and time again (e.g. the PATRIOT Act, the Digital Millennium Copyright Act (DMCA), the Computer Fraud and Abuse Act (CFAA), etc.), the vagueness of computer-related statutes makes them likely to be abused, either by prosecutors, government agents, companies, or private parties, to further aims that are arguably unrelated to the intent of the law—or at least its stated intent.

There have been claims that entering incorrect information in the registration for a web site can be construed as "unauthorized access" under the CFAA, for example. Unauthorized access is one of the threats specifically mentioned by CISPA. That could potentially turn anyone who registered a false name or birth date with a social network (or violated the terms of service of some web site) into a cybersecurity threat under the law, which would allow the collection and sharing of their internet traffic. Proponents claim it would never be used that way, of course, but those same claims were made for the CFAA and others.

In an effort to clarify what else the government could use any of the collected data for, the US House approved an amendment to CISPA before passing the measure. Instead of being able to use the data for "any lawful purpose" (assuming it was collected and shared due to some tie to cyber or national security), the amendment narrowed it to five separate uses: "cybersecurity, cyber crime, protecting people from harm, protecting children from exploitation, and national security". While that's better, certainly, it enshrines an expansion of CISPA from strictly being about computer security to cover additional illegal activities. That expansion is part of what worried civil liberties organizations (the Electronic Frontier Foundation (EFF), TechFreedom, American Civil Liberties Union (ACLU), Reporters Without Borders, and on and on). CISPA is sold as protecting computers and networks, but stretches further to protecting exploited children and dealing with "cyber crime".

That's not to say that there isn't good reason to fight those kinds of problems, but there are already tools at hand to do so. Part of the selling point of CISPA is that cybersecurity threats are so fast moving that stopping to get a judge to issue a warrant could cause irreparable harm. That may be true, but it may also be less true for some of the other threats now listed in the House version of CISPA. The "extra" threats probably seem like an obvious addition, but they may really just end up allowing carte blanche fishing expeditions in the internet traffic of those suspected of being some kind of security threat.

Normally, it is the role of judges to impartially look at the reasons that law enforcement has for its suspicions before they grant search warrants. That is meant to provide some "checks and balances" in the system. Circumventing that requirement should not be taken lightly, as it is only a question of when, not if, these kinds of provisions will be abused. There may be situations where it does make sense to short-circuit the search warrant process (at least for a short period of time), but it's not at all clear that the bill's proponents have clearly thought that out. Instead, it seems like the "threat du jour", one that Congress must take action on.

The US Senate will also be considering CISPA sometime soon, though the Obama administration has threatened a presidential veto over privacy concerns. That threat isn't being taken very seriously by some, but passage by the Senate is far from assured anyway. That said, it is a worrisome bill and the EFF and others are gearing up to oppose it in the Senate.

If there truly is a need for some kind of sweeping cybersecurity legislation because existing laws cannot handle some violations—something that hasn't been well articulated by proponents—there are a number of steps that could be taken to make CISPA more palatable to civil liberties and privacy advocates. Adding a mandatory judicial review, reducing the scope to the actual problem being addressed, and not giving blanket protection against "good faith" misuse of the data to the government and internet carriers and providers would all be steps in the right direction. Unfortunately, while there have been amendments made, the core problems with CISPA remain.

While it may be tempting to write this off as a "US problem", passage of CISPA is likely to affect internet users worldwide. Large chunks of internet traffic pass through the US, which would make it vulnerable to collection. In addition, many internet services are based in the US, and those US companies might well be asked to hand over data on those in other countries perceived to be security threats. In fact, the supposed intent of CISPA is to protect against threats from "overseas".

In the end, CISPA is a poorly thought out, knee-jerk reaction to a real problem. The scope and severity of that problem is not well understood, however, and there is a burgeoning cybersecurity industry that is, at a minimum, cheerleading for tougher measures like this one. That's not a recipe for good legislation. CISPA is just another in a long line of proposed and enacted legislation with a stated intent that is far different from the language in the bill itself. But it is certainly something to keep an eye on.

Brief items

Security quotes of the week

Gadzooks. A scared populace is much more willing to pour money into the cyberwar arms race.
-- Bruce Schneier

Structurally, the economics of cybercrimes like spam and password-stealing are the same as those of fishing. Economics long ago established that common-access resources make for bad business opportunities. No matter how large the original opportunity, new entrants continue to arrive, driving the average return ever downward. Just as unregulated fish stocks are driven to exhaustion, there is never enough “easy money” to go around.
-- Dinei Florêncio and Cormac Herley in The New York Times

As background, [Luigi] Auriemma explains that when the device receives a controller packet it displays a message informing users that a new ‘remote’ has been detected, and prompts the user to ‘allow’ or ‘deny’ access. Included with this remote packet is a string field used for the name of the device. Auriemma found that if he altered the name string to contain line feed and other invalid characters, the device would enter an endless loop.

Auriemma claims that nothing really happens for the first five seconds, but then he lost control of the TV, both manually on the control panel and with the remote. Then after another five seconds, he claims, the TV [automatically] restarts. Then the process repeats itself forever, even after unplugging the TV. Eventually, Auriemma managed to reset the TV in service mode. He writes that users can avoid the situation altogether by hitting ‘exit’ when prompted to ‘allow’ or ‘deny’ the new remote device.

-- Brian Donohue at threatpost.com

High school student trying to crack a system to download a game for free? Cyberattack declared!

Misconfigured hardware or software causing a denial of service problem? Cyberattack declared!

Anything that seems at all out of the ordinary and you want to pass the buck as quickly as possible? Cyberattack declared!

-- Lauren Weinstein

Fuzzing for Security (The Chromium Blog)

A posting on the Chromium blog describes the project's efforts to do fuzz testing of the browser. "Chrome’s fuzzing infrastructure (affectionately named ‘ClusterFuzz’) is built on top of a cluster of several hundred virtual machines running approximately six-thousand simultaneous Chrome instances. ClusterFuzz automatically grabs the most current Chrome LKGR (Last Known Good Revision), and hammers away at it to the tune of around fifty-million test cases a day. That capacity has roughly quadrupled since the system’s inception, and we plan to quadruple it again over the next few weeks. [...] To appreciate just what that means, consider that ClusterFuzz has detected 95 unique vulnerabilities since we brought it fully online at the end of last year. In that time, 44 of those vulnerabilities were identified and fixed before they ever had a chance to make it out to a stable release." There is mention of pushing the fixes upstream to WebKit and FFmpeg, but there is no mention of whether the ClusterFuzz code will be made available, unfortunately.

The Tor Project's New Tool Aims To Map Out Internet Censorship (Forbes)

The OONI-probe (Open Observatory of Network Interference) is an early attempt to "collect data about local meddling with the computer’s network connections, whether it be censorship, surveillance or selective bandwidth slowdowns." Forbes takes a look at this new effort by Tor developers Arturo Filasto and Jacob Appelbaum. "Tor’s OONI project, funded in part with a grant from Radio Free Asia, isn’t the first to monitor and measure Internet censorship around the world–other projects like the Open Net Initiative, the Berkman Center’s HerdictWeb and Google’s Transparency Report all aim to spot censorship and Internet slowdowns. But unlike those projects, OONI uses only open-source software and plans to make the raw data gathered by its tools public and accessible to any researcher. “This came from a bit of disappointment over the fact that all the existing tools out there for monitoring censorship were either not using open methodologies or not making their data available,” says Filasto, a 21-year-old computer science student at Rome’s Sapienza university. “Our goal with OONI is to build that open framework, so that researchers can independently prove that the methodology is valid and repeat the tests.”" (Thanks to Paul Wise)

New vulnerabilities

bugzilla: security bypass/cross-site scripting

Package(s): bugzilla
CVE #(s): CVE-2012-0466 CVE-2012-0465
Created: May 1, 2012
Updated: May 2, 2012
Description: From the CVE entries:

template/en/default/list/list.js.tmpl in Bugzilla 2.x and 3.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1 does not properly handle multiple logins, which allows remote attackers to conduct cross-site scripting (XSS) attacks and obtain sensitive bug information via a crafted web page. (CVE-2012-0466)

Bugzilla 3.5.x and 3.6.x before 3.6.9, 3.7.x and 4.0.x before 4.0.6, and 4.1.x and 4.2.x before 4.2.1, when the inbound_proxies option is enabled, does not properly validate the X-Forwarded-For HTTP header, which allows remote attackers to bypass the lockout policy via a series of authentication requests with (1) different IP address strings in this header or (2) a long string in this header. (CVE-2012-0465)
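The lockout bypass in CVE-2012-0465 comes down to keying a failure counter on an attacker-supplied string. The following is an added example (not Bugzilla's code) of a lockout that only honours X-Forwarded-For when the direct peer is a trusted reverse proxy, bounds the header's length, requires every hop to parse as an IP address, and counts failures against the right-most hop that is not one of our own proxies; TRUSTED_PROXIES, MAX_HEADER_LEN and MAX_FAILURES are assumed deployment values.

```python
"""Lockout keyed on a validated client address (added example, not Bugzilla's code).

A lockout that trusts whatever appears in X-Forwarded-For can be sidestepped
by presenting a different address string on each attempt, or an over-long one
(the two cases CVE-2012-0465 names). The checks below close both gaps.
"""
import ipaddress
from collections import defaultdict
from typing import Optional

TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}  # assumed front-end proxy
MAX_HEADER_LEN = 256   # assumed bound; a few real proxy hops never approach this
MAX_FAILURES = 5       # assumed lockout threshold


def client_ip(peer_ip: str, xff: Optional[str]):
    """Return the address to count failures against; ValueError on a bad header."""
    peer = ipaddress.ip_address(peer_ip)
    # A client talking to us directly can write anything into the header: ignore it.
    if peer not in TRUSTED_PROXIES or not xff:
        return peer
    if len(xff) > MAX_HEADER_LEN:
        raise ValueError("X-Forwarded-For too long")
    # Every hop must be a real address; garbage raises ValueError here.
    hops = [ipaddress.ip_address(h.strip()) for h in xff.split(",")]
    # The right-most hop was appended by our proxy and is the real client;
    # anything further left was supplied by the client itself.
    for addr in reversed(hops):
        if addr not in TRUSTED_PROXIES:
            return addr
    return peer   # header listed only our own proxies; fall back to the peer


def rejects(peer_ip: str, xff: Optional[str]) -> bool:
    """True if the header is refused outright (malformed hop or too long)."""
    try:
        client_ip(peer_ip, xff)
    except ValueError:
        return True
    return False


class Lockout:
    """Per-address failed-login counter; locked once MAX_FAILURES is reached."""

    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, peer_ip: str, xff: Optional[str]) -> int:
        ip = client_ip(peer_ip, xff)
        self.failures[ip] += 1
        return self.failures[ip]

    def is_locked(self, peer_ip: str, xff: Optional[str]) -> bool:
        return self.failures[client_ip(peer_ip, xff)] >= MAX_FAILURES


def demo() -> bool:
    """Rotating the client-controlled left-most hop no longer evades the lockout."""
    lock = Lockout()
    for i in range(MAX_FAILURES):
        # constructed traffic: varying left-most entry, proxy appends the real client
        lock.record_failure("10.0.0.2", f"203.0.113.{i}, 198.51.100.7")
    return lock.is_locked("10.0.0.2", "198.51.100.7")


if __name__ == "__main__":
    print("locked out after rotating headers:", demo())
```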

Alerts:
Fedora FEDORA-2012-6396 bugzilla 2012-05-01
Fedora FEDORA-2012-6368 bugzilla 2012-05-01

cifs-utils: file existence disclosure flaw

Package(s): cifs-utils
CVE #(s): CVE-2012-1586
Created: May 1, 2012
Updated: July 16, 2012
Description: From the Red Hat bugzilla:

A file existence disclosure flaw was found in the way the mount.cifs tool of the Samba SMB/CIFS tools suite performed a mount of a Linux CIFS (Common Internet File System) filesystem. A local user, able to mount a remote CIFS share / target to a local directory, could use this flaw to confirm the (non) existence of a file system object (file, directory or process descriptor) via error messages generated during the mount.cifs tool run.

Alerts:
SUSE SUSE-SU-2013:0325-1 Samba 2013-02-22
Mageia MGASA-2012-0162 samba 2012-07-13
CentOS CESA-2012:0902 cifs-utils 2012-07-10
Scientific Linux SL-cifs-20120709 cifs-utils 2012-07-09
Oracle ELSA-2012-0902 cifs-utils 2012-07-02
openSUSE openSUSE-SU-2012:0607-1 cifs-utils 2012-05-10
Mandriva MDVSA-2012:070 samba 2012-05-04
Mandriva MDVSA-2012:069 cifs-utils 2012-05-04
Red Hat RHSA-2012:0902-04 cifs-utils 2012-06-20
Fedora FEDORA-2012-6398 cifs-utils 2012-05-01
Fedora FEDORA-2012-6375 cifs-utils 2012-05-01

gridengine: code injection

Package(s): gridengine
CVE #(s):
Created: April 27, 2012
Updated: May 2, 2012
Description: From the Fedora advisory:

Security update to prevent environment code injection and two other security issues.

Alerts:
Fedora FEDORA-2012-6177 gridengine 2012-04-27
Fedora FEDORA-2012-6179 gridengine 2012-04-27

imagemagick: code execution

Package(s): imagemagick
CVE #(s): CVE-2012-0259 CVE-2012-0260 CVE-2012-1185 CVE-2012-1186 CVE-2012-1610 CVE-2012-1798
Created: April 30, 2012
Updated: May 19, 2014
Description: From the Debian advisory:

Several integer overflows and missing input validations were discovered in the ImageMagick image manipulation suite, resulting in the execution of arbitrary code or denial of service.

Alerts:
Gentoo 201405-09 imagemagick 2014-05-17
Ubuntu USN-2132-1 imagemagick 2014-03-06
Fedora FEDORA-2012-9313 ImageMagick 2012-06-22
Oracle ELSA-2012-0545 ImageMagick 2012-05-08
Oracle ELSA-2012-0544 ImageMagick 2012-05-08
Scientific Linux SL-Imag-20120508 ImageMagick 2012-05-08
CentOS CESA-2012:0545 ImageMagick 2012-05-07
CentOS CESA-2012:0544 ImageMagick 2012-05-07
Red Hat RHSA-2012:0545-01 ImageMagick 2012-05-07
Red Hat RHSA-2012:0544-01 ImageMagick 2012-05-07
Debian DSA-2462-2 imagemagick 2012-05-03
Ubuntu USN-1435-1 imagemagick 2012-05-01
Debian DSA-2462-1 imagemagick 2012-04-29
openSUSE openSUSE-SU-2012:0692-1 ImageMagick 2012-06-04
Mandriva MDVSA-2012:078 imagemagick 2012-05-17
Mandriva MDVSA-2012:077 imagemagick 2012-05-17

Messaging: unauthorized cluster access

Package(s): Messaging
CVE #(s): CVE-2011-3620
Created: May 1, 2012
Updated: May 2, 2012
Description: From the Red Hat advisory:

It was found that Qpid accepted any password or SASL mechanism, provided the remote user knew a valid cluster username. This could give a remote attacker unauthorized access to the cluster, exposing cluster messages and internal Qpid/MRG configurations.

Alerts:
Red Hat RHSA-2012:0529-01 Messaging 2012-04-30
Red Hat RHSA-2012:0528-01 Messaging 2012-04-30

mozilla: multiple vulnerabilities

Package(s): firefox, thunderbird, seamonkey, xulrunner
CVE #(s): CVE-2011-1187 CVE-2011-2986 CVE-2012-0475
Created: April 27, 2012
Updated: July 23, 2012
Description: From the CVE entries:

Google Chrome before 10.0.648.127 allows remote attackers to bypass the Same Origin Policy via unspecified vectors, related to an "error message leak." (CVE-2011-1187)

Mozilla Firefox 4.x through 5, Thunderbird before 6, SeaMonkey 2.x before 2.3, and possibly other products, when the Direct2D (aka D2D) API is used on Windows, allows remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. (CVE-2011-2986)

Mozilla Firefox 4.x through 11.0, Thunderbird 5.0 through 11.0, and SeaMonkey before 2.9 do not properly construct the Origin and Sec-WebSocket-Origin HTTP headers, which might allow remote attackers to bypass an IPv6 literal ACL via a cross-site (1) XMLHttpRequest or (2) WebSocket operation involving a nonstandard port number and an IPv6 address that contains certain zero fields. (CVE-2012-0475)
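CVE-2012-0475 turns on how an Origin header was spelled for an IPv6 literal with zero fields and a nonstandard port; an ACL that compares origin strings can be defeated by any equivalent spelling of the same address. As an added example (not Mozilla's code), the server-side check below parses the header, collapses IPv6 literals to their RFC 5952 form, fills in the scheme's default port, and compares (scheme, host, port) tuples; DEFAULT_PORTS, canonical_origin and origin_allowed are names chosen here.

```python
"""Origin ACL compared on canonical (scheme, host, port) tuples.

Added example, not Mozilla's code. Two spellings of one IPv6 origin, such as
http://[0:0:0:0:0:0:0:1]:8080 and http://[::1]:8080, must be treated alike,
and a missing port must mean the scheme's default, or an ACL keyed on the
raw header text will admit or refuse the wrong origins.
"""
import ipaddress
from typing import Iterable, Tuple
from urllib.parse import urlsplit

# Default ports for the schemes an Origin / Sec-WebSocket-Origin header may carry.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def canonical_origin(origin: str) -> Tuple[str, str, int]:
    """Parse an Origin value into (scheme, canonical host, port); ValueError if unusable."""
    parts = urlsplit(origin)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an acceptable origin: {origin!r}")
    # RFC 6454 origins carry no userinfo, path, query or fragment.
    if parts.username is not None or parts.path or parts.query or parts.fragment:
        raise ValueError(f"origin has extra components: {origin!r}")
    host = parts.hostname                 # lower-cased; IPv6 brackets already removed
    try:
        # "0:0:0:0:0:0:0:1" and "0::1" both become "::1"; IPv4 is unchanged.
        host = ipaddress.ip_address(host).compressed
    except ValueError:
        pass                              # a DNS name: keep the lower-cased form
    port = parts.port                     # ValueError if not a number in 0..65535
    if port is None:
        port = DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def origin_allowed(origin_header: str, acl: Iterable[str]) -> bool:
    """True when the request's Origin denotes the same origin as some ACL entry."""
    try:
        want = canonical_origin(origin_header)
    except ValueError:
        return False                      # "null", garbage or a bad port: deny
    return any(canonical_origin(entry) == want for entry in acl)


if __name__ == "__main__":
    acl = ["http://[::1]:8080"]           # constructed ACL entry
    for hdr in ("http://[0:0:0:0:0:0:0:1]:8080", "http://[::1]", "http://[::2]:8080"):
        print(hdr, "->", origin_allowed(hdr, acl))
```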

Alerts:
openSUSE openSUSE-SU-2014:1100-1 Firefox 2014-09-09
Gentoo 201301-01 firefox 2013-01-07
Mageia MGASA-2012-0176 iceape 2012-07-21
Fedora FEDORA-2012-9079 thunderbird-lightning 2012-06-26
Fedora FEDORA-2012-9037 thunderbird-lightning 2012-06-26
Fedora FEDORA-2012-9079 thunderbird 2012-06-26
Fedora FEDORA-2012-9037 thunderbird 2012-06-26
Ubuntu USN-1430-3 thunderbird 2012-05-04
SUSE SUSE-SU-2012:0580-1 Mozilla Firefox 2012-05-02
SUSE SUSE-SU-2012:0688-1 MozillaFirefox 2012-06-02
Fedora FEDORA-2012-6610 perl-Gtk2-MozEmbed 2012-05-01
Fedora FEDORA-2012-6610 gnome-python2-extras 2012-05-01
Fedora FEDORA-2012-6610 xulrunner 2012-05-01
Fedora FEDORA-2012-6610 firefox 2012-05-01
Fedora FEDORA-2012-6738 thunderbird-lightning 2012-04-29
Fedora FEDORA-2012-6738 thunderbird 2012-04-29
Ubuntu USN-1430-2 ubufox 2012-04-27
Ubuntu USN-1430-1 firefox 2012-04-27
openSUSE openSUSE-SU-2012:0567-1 firefox, thunderbird, seamonkey, xulrunner 2012-04-27
Ubuntu USN-1430-4 apparmor 2012-06-12
Fedora FEDORA-2012-9001 thunderbird-lightning 2012-06-10
Fedora FEDORA-2012-9001 thunderbird 2012-06-10

nginx: code execution

Package(s): nginx
CVE #(s): CVE-2012-2089
Created: May 1, 2012
Updated: June 21, 2012
Description: From the CVE entry:

Buffer overflow in ngx_http_mp4_module.c in the ngx_http_mp4_module module in nginx 1.0.7 through 1.0.14 and 1.1.3 through 1.1.18, when the mp4 directive is used, allows remote attackers to cause a denial of service (memory overwrite) or possibly execute arbitrary code via a crafted MP4 file.

Alerts:
Gentoo 201206-07 nginx 2012-06-21
Fedora FEDORA-2012-6371 nginx 2012-05-01
Fedora FEDORA-2012-6411 nginx 2012-05-01

openstack-nova: denial of service

Package(s): openstack-nova
CVE #(s): CVE-2012-2101
Created: May 1, 2012
Updated: May 4, 2012
Description: From the Red Hat bugzilla:

Dan Prince reported a vulnerability in Nova. He discovered that there was no limit on the number of security group rules a user can create. By creating a very large set of rules, an unreasonable number of iptables rules will be created on compute nodes, resulting in a denial of service.

Alerts:
Ubuntu USN-1438-1 nova 2012-05-03
Fedora FEDORA-2012-6365 openstack-nova 2012-05-01

rubygems: require valid certificates

Package(s): rubygems
CVE #(s): CVE-2012-2125 CVE-2012-2126
Created: May 1, 2012
Updated: September 5, 2013
Description: From the Rubygems history:

This release increases the security used when RubyGems is talking to an https server. If you use a custom RubyGems server over SSL, this release will cause RubyGems to no longer connect unless your SSL cert is globally valid.

Alerts:
Red Hat RHSA-2013:1852-01 MRG 2013-12-17
Red Hat RHSA-2013:1851-01 MRG 2013-12-17
Oracle ELSA-2013-1441 rubygems 2013-10-18
CentOS CESA-2013:1441 rubygems 2013-10-18
Scientific Linux SLSA-2013:1441-1 rubygems 2013-10-17
Red Hat RHSA-2013:1441-01 rubygems 2013-10-17
Red Hat RHSA-2013:1203-01 rubygems 2013-09-04
Ubuntu USN-1582-1 rubygems 2012-09-25
Ubuntu USN-1583-1 ruby1.9.1 2012-09-25
Fedora FEDORA-2012-6414 rubygems 2012-05-01
Fedora FEDORA-2012-6409 rubygems 2012-05-01

samba: privilege escalation

Package(s): samba
CVE #(s): CVE-2012-2111
Created: May 1, 2012
Updated: May 7, 2012
Description: From the CVE entry:

The (1) CreateAccount, (2) OpenAccount, (3) AddAccountRights, and (4) RemoveAccountRights LSA RPC procedures in smbd in Samba 3.4.x before 3.4.17, 3.5.x before 3.5.15, and 3.6.x before 3.6.5 do not properly restrict modifications to the privileges database, which allows remote authenticated users to obtain the "take ownership" privilege via an LSA connection.

Alerts:
Gentoo 201206-22 samba 2012-06-24
SUSE SUSE-SU-2012:0591-1 Samba 2012-05-07
openSUSE openSUSE-SU-2012:0583-1 samba 2012-05-04
Fedora FEDORA-2012-7006 samba 2012-05-03
Fedora FEDORA-2012-6999 samba 2012-05-03
Debian DSA-2463-1 samba 2012-05-02
Oracle ELSA-2012-0533 samba 2012-05-01
Ubuntu USN-1434-1 samba 2012-05-01
Mandriva MDVSA-2012:067 samba 2012-05-01
CentOS CESA-2012:0533 samba 2012-05-01
SUSE SUSE-SU-2012:0575-1 Samba 2012-05-01
SUSE SUSE-SU-2012:0573-1 Samba 2012-05-01
Scientific Linux SL-samb-20120430 samba 2012-04-30
CentOS CESA-2012:0533 samba 2012-04-30
Red Hat RHSA-2012:0533-01 samba 2012-04-30

spip: multiple vulnerabilities

Package(s): spip
CVE #(s):
Created: April 27, 2012
Updated: May 2, 2012
Description: From the Debian advisory:

Several vulnerabilities have been found in SPIP, a website engine for publishing, resulting in cross-site scripting, script code injection and bypass of restrictions.

Alerts:
Debian DSA-2461-1 spip 2012-04-26

Page editor: Jake Edge

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds